Description
Authentication for ZLAN5143D can be bypassed by directly accessing internal URLs.
Published: 2026-02-11
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authentication bypass for critical function
Action: Patch Update
AI Analysis

Impact

ZLAN5143D devices allow an attacker to bypass authentication by directly accessing internal URLs, exposing sensitive control interfaces. Because these interfaces enforce no authentication, an adversary can execute privileged commands, alter configuration, or gain full control of the device. The weakness maps to CWE‑306 (Missing Authentication for Critical Function). The immediate consequence is unauthorized use of critical functions, which could compromise both the integrity of the device and any processes it manages.

Affected Systems

The vulnerability is limited to devices produced by ZLAN Information Technology Co., specifically the ZLAN5143D model. No versioning information is disclosed, so all units of this model are considered potentially affected.

Risk and Exploitability

The CVSS base score of 9.3 classifies this flaw as critical, underscoring its potential impact. However, the EPSS score is reported as less than 1%, suggesting that, in the observed period, the likelihood of exploitation remains low. The flaw is not listed in CISA’s KEV catalog, implying that no widespread active exploitation has been identified. The likely attack vector is network communication: an adversary who can reach the vulnerable URLs over the network can use them without authentication, and manipulating these endpoints can grant unauthorized control over the device’s critical functions.

Generated by OpenCVE AI on April 18, 2026 at 12:40 UTC.

Remediation

Vendor Workaround

ZLAN Information Technology Co. did not respond to CISA's attempts at coordination. Users of ZLAN5143D devices are encouraged to contact ZLAN and keep their systems up to date. https://www.zlmcu.com/en/contatct_us.htm


OpenCVE Recommended Actions

  • Apply any vendor‑supplied firmware or update that addresses the authentication bypass.
  • Configure network firewalls or VLAN segmentation to prevent unauthenticated access to the internal URLs exposed by the device.
  • If a vendor update is not yet available, contact ZLAN Information Technology Co. and keep systems up to date as a temporary mitigation.
  • Monitor device logs for unexpected or unauthorized traffic to internal URLs and report suspicious activity to security operations.

Tracking

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 22:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Zlan Information Technology Co.
                    |                | Zlan Information Technology Co. zlan5143d
Vendors & Products  |                | Zlan Information Technology Co.
                    |                | Zlan Information Technology Co. zlan5143d

Wed, 11 Feb 2026 17:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 11 Feb 2026 16:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Authentication for ZLAN5143D can be bypassed by directly accessing internal URLs.
Title       |                | ZLAN Information Technology ZLAN5143D Missing Authentication for Critical Function
Weaknesses  |                | CWE-306
References  |                |
Metrics     |                | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
            |                | cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Zlan Information Technology Co. Zlan5143d
MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-02-11T16:47:23.667Z

Reserved: 2026-01-29T21:07:29.846Z

Link: CVE-2026-25084

Vulnrichment

Updated: 2026-02-11T16:47:06.196Z

NVD

Status : Deferred

Published: 2026-02-11T17:16:13.243

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25084

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T12:45:45Z

Weaknesses